Our Approach

The use of digital data is essential for SUBARU in the course of its business activities. The use of digital data is not limited to traditional information systems but covers diverse realms, including facilities, products, and a whole range of services offered by SUBARU. Being aware of our social responsibility to handle digital data in these realms safely, we are undertaking cybersecurity protection activities Group-wide. In addition, in light of the current situation regarding the use of digital data, the Basic Cybersecurity Policy was revised in July 2024.

Scope of Cybersecurity for the SUBARU Group

Basic Cybersecurity Policy

Objective

SUBARU CORPORATION and its Group companies (hereinafter referred to as “the SUBARU Group”) put in place a Basic Cybersecurity Policy to protect all our conceivable products, services, and information assets from threats arising in the course of our business activities and earn the trust of our customers and society as a whole.


Scope

This basic policy applies to all executives and employees of the SUBARU Group, and also to the employees and other staff of SUBARU’s subcontractors.


Initiatives

  1. The SUBARU Group will comply with laws, regulations, and standards, as well as security-related contractual obligations to our customers.
  2. The SUBARU Group will put in place and operate management systems and internal regulations concerning cybersecurity.
  3. The SUBARU Group will establish cybersecurity measures tailored to our information assets and strive to prevent and minimize cybersecurity risks.
  4. The SUBARU Group will conduct monitoring for cybersecurity threats. Should a cybersecurity incident occur, SUBARU will address it swiftly and appropriately, taking steps to prevent recurrence.
  5. The SUBARU Group will strive to ensure cybersecurity by providing both executives and employees with education and training, as well as undertaking other efforts to raise their awareness of this issue.
  6. The SUBARU Group will continually review and strive to improve the aforementioned activities.

Revised in July 2024

Management System

SUBARU has established an organizational structure for the entire Group to maintain and improve cybersecurity. This includes appointing a Chief Information Officer (CIO) selected by the Board of Directors and the formation of the Cybersecurity Meeting with the CIO as its presiding manager. The Cybersecurity Meeting deliberates on cybersecurity activities discussed by each subcommittee and decides how to respond to cybersecurity issues in the SUBARU Group, formulate cybersecurity audit plans, and review rules and policies. In addition, the SUBARU Security Incident Response Team (SBR-SIRT) monitors threats to protected assets of the SUBARU Group in times of normalcy, and in an emergency, works to quickly and appropriately protect and restore protected assets. These activities include a series of response procedures covering incident detection, reporting, recovery, and prevention of recurrence. In the event of a serious incident, reports are made to management and external agencies are contacted.

Targets and Metrics

Based on the belief that cybersecurity is the foundation of optimal governance, the SUBARU Group is engaged in the following activities to protect all stakeholders.

(1) Expanding the scope of SUBARU policies and rules to the supply chain

(2) Continuously strengthening cyber-resilience to support value creation

(3) Strengthening factory security to support manufacturing reforms

(4) Reinforcing vehicle cybersecurity to keep pace with vehicle development and complying with laws and regulations of each country

Recognition of Cybersecurity Risks

Within cybersecurity, we recognize that security, especially in the supply chain, is an important risk directly related to the overall safety and sustainability of a company. Inadequate security at this level could lead to the leakage of confidential information, the suspension of a business partner’s business, or even the suspension of SUBARU’s business, as well as product quality issues and a loss of trust. Therefore, it is critical to strengthen security measures throughout the entire supply chain. SUBARU Group will continue to provide customers with “Enjoyment and Peace of Mind” and prevent damage to the SUBARU brand value by strengthening cooperation with business partners, effectively managing these risks through regular security assessments and risk management, and increasing the resilience of the supply chain.

Initiatives

Support for Cybersecurity

Training Programs and Drills

In FYE March 2025, SUBARU conducted e-learning and video training programs and drills based on cybersecurity management systems in the three domains of In-Car (interior systems), Out-Car (exterior systems), and information systems. In particular, in the area of information systems, we conduct targeted attack email drills at least once a year on an ongoing basis.
In the same area, we conducted cybersecurity incident response drills, including for management. We plan to continue conducting cybersecurity-related drills at least once a year.

Objective: Promote understanding of cybersecurity and mitigate practical security risks
Program details: Education and drills on internal rules requiring compliance in each of the three domains
Course participants:

  •  For in-car system developers: 208
  •  For in-car ECU developers: 28
  •  For general employees and those related to information systems: 12,072
  •  Targeted attack email drills for SUBARU dealerships: 9,134
  •  Cybersecurity incident response drills, including for managers: 19

Conducting Internal Audits and Strengthening Security at Business Partners

We also regularly carry out internal audits based on our management system on an ongoing basis.
We have been strengthening collaboration with overseas Group companies since FYE March 2022 through regular information sharing and carrying out improvement activities in response to assessments based on Company-wide cybersecurity regulations.
In recent times, due to the significant impact of cybersecurity at the supply chain level on SUBARU’s business continuity, we interview business partners once a year about the status of their security measures and provide advice on how to strengthen security when necessary.

Personal Information Protection Initiatives

Within the SUBARU Group, to comply with personal data protection regulations, such as Japan’s Act on the Protection of Personal Information and the EU General Data Protection Regulation (GDPR), we have established management regulations, established systems, and publicly disclosed our privacy policy. Under this system, the officer in charge of the Legal Department serves as the chief privacy officer and the chairperson of the Personal Information Protection Committee, which is composed of executive officers from relevant departments and meets at least once a year. The committee reviews the SUBARU Group’s personal information protection activities, promoting the PDCA cycle in these activities.
In FYE March 2025, we revised SUBARU’s management regulations and reviewed the roles of executive officers and the criteria for submitting matters to the Personal Information Protection Committee in order to further enhance the efficiency and effectiveness of our personal information protection activities.
We are also promoting activities across Group companies worldwide to establish management frameworks that enable the responsible utilization of personal information in compliance with our personal information protection regulations.


Key Initiatives in FYE March 2025

(1) Compliance with Japan’s Act on the Protection of Personal Information

  • Specialized training for SUBARU’s executive officers, as well as employees of SUBARU, its Group companies, and dealerships (FYE March 2025 participants: 897)
  • Verification and improvement of the handling of personal information domestically by SUBARU and dealerships
  • Verification and improvement of compliance with relevant regulations across all SUBARU departments
  • Verification and improvement of the management of personal information by SUBARU and dealerships’ outsourced personal information handling contractors (domestic)

(2) Compliance with overseas personal information protection regulations

  • Specialized training for SUBARU’s executive officers, as well as employees of SUBARU and its Group companies (FYE March 2025 participants: 201)
  • Inspection and verification of the handling of personal information overseas by relevant SUBARU departments

In FYE March 2026, we will continue to monitor developments toward the enforcement of laws in Japan and other countries, as well as the implementation policies of those laws by relevant authorities to enhance the personal data protection efforts of SUBARU and our Group companies and dealerships worldwide.